Re: restrict reset of Admin Password

From: Steven L Umbach (sumbach_at_nospam-ameritech.net)
Date: 03/11/04


Date: Thu, 11 Mar 2004 15:30:15 GMT

Server operators and account operators cannot reset or otherwise modify
user accounts that are administrators, though other administrators in the
domain can or anyone in the enterprise admins group for the forest. You
could also look into AD delegation at the domain or OU level that will allow
you to delegate many rights to a user without special group membership,
including adding computers and users to the domain. At the domain or OU
level, right-click the container and select delegate to start the delegation
wizard, which includes common tasks and also allows you to add custom tasks.
Also look in help for delegate or delegation. --- Steve

"Altria" <urbantec92@msn.com> wrote in message
news:#uFrYs3BEHA.3344@tk2msftngp13.phx.gbl...
> Hello All,
> Is there a way that I can have my staff not be able to reset the Admin
> password and leave them with group membership of server operators and
> account operators. I give these privileges to them so that they are able to
> join computers and users onto the domain during rollout. Or is it better to
> create a temporary account and delete it afterwards with the appropriate
> permissions. In most cases what privileges are given to support staff? I
> would like to limit as much as I can but I would like them to get on with
> their daily duties.
> My Main concern is the Admin password reset though.
> TIA,
> Altria
>
>
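
An added example, not part of the original thread: OU-scoped grants comparable to the delegation wizard tasks Steve mentions, made with `dsacls`, followed by a check for staff who still sit in the built-in operator groups. The OU path, domain and group name are constructed placeholders, and the example assumes `dsacls` and the ActiveDirectory PowerShell module are available.

```powershell
# Added example; the OU path and group name below are constructed placeholders.
Import-Module ActiveDirectory

$ou        = 'OU=Rollout,DC=example,DC=com'   # container being delegated (assumed)
$groupName = 'Rollout Staff'                  # delegated group (assumed)
$group     = "EXAMPLE\$groupName"

# Create/delete computer and user objects directly in this OU.
dsacls $ou /G "${group}:CCDC;computer"
dsacls $ou /G "${group}:CCDC;user"

# Reset passwords, and force a change at next logon, on user objects
# below this OU only (/I:S = sub-objects). Accounts outside the OU,
# such as the domain Administrator, are not covered by these entries.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"
dsacls $ou /I:S /G "${group}:WP;pwdLastSet;user"

# Review the resulting ACL entries for the delegated group.
dsacls $ou | Select-String -SimpleMatch $group

# Staff who remain in the built-in operator groups keep those domain-wide
# rights in addition to the OU delegation, so list the overlap.
$staff = Get-ADGroupMember -Identity $groupName -Recursive
foreach ($builtin in 'Account Operators', 'Server Operators') {
    $members = Get-ADGroupMember -Identity $builtin -Recursive
    $overlap = $staff | Where-Object {
        $members.DistinguishedName -contains $_.DistinguishedName
    }
    foreach ($u in $overlap) {
        '{0} is still a member of {1}' -f $u.SamAccountName, $builtin
    }
}
```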


